Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 22, 2021, 10:05 p.m.	Sept. 22, 2021, 10:37 p.m.

Size	492.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d362ffc6b594c617852f20b87ab4bbef`
SHA256	`f7031a211f3a084ce9b215e9faf438125d11cf1daf963b9ec0d994a66dee6df0`
CRC32	`00FA09BB`
ssdeep	`12288:X4k4DbF53e0IUFLK5QwEz+903isUwVu09nqYeJ2VCjWiJ:COVEz+9pRiu09nqHoUii`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\vSrKLFEZNe\src\obj\Debug\StreamWrapp.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1280
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2440

Name	Response	Post-Analysis Lookup
www.indianajones.club
www.dindigulvysya.com	A 142.111.57.185	142.111.57.185
www.hiphopventuresllc.com	A 184.168.131.241 CNAME hiphopventuresllc.com	184.168.131.241
www.urfavvpimp.com
www.youcanaskmeto.review	A 99.83.154.118	99.83.154.118
www.omelhorcurso-online.com	A 108.179.193.173 CNAME omelhorcurso-online.com	108.179.193.173
www.yourdoor.pro	A 34.98.99.30 CNAME yourdoor.pro	34.98.99.30
www.authorjameswshepherdonline.com	CNAME authorjameswshepherdonline.com A 34.102.136.180	34.102.136.180
www.groundedheavens.com	A 45.84.204.115 CNAME groundedheavens.com	45.84.204.115
www.overseaexpert.com	CNAME overseaexpert.com A 34.98.99.30	34.98.99.30

IP Address	Status	Action
108.179.193.173	Active	Moloch
142.111.57.185	Active	Moloch
164.124.101.2	Active	Moloch
184.168.131.241	Active	Moloch
34.102.136.180	Active	Moloch
34.98.99.30	Active	Moloch
45.84.204.115	Active	Moloch
99.83.154.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 184.168.131.241:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 184.168.131.241:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 184.168.131.241:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 142.111.57.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 142.111.57.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 142.111.57.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.84.204.115:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.84.204.115:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.84.204.115:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 108.179.193.173:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 108.179.193.173:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 108.179.193.173:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 99.83.154.118:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 99.83.154.118:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 99.83.154.118:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 22, 2021, 10:05 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 10:05 p.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 10:05 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\vSrKLFEZNe\src\obj\Debug\StreamWrapp.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 10:05 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yourdoor.pro/nthe/?sXUXkXC=Dq5BsXUmPYRXCS8xthBTWjkRhfDO71d0Wvsss7JChqmMe/U7sfw/yBC80fv6eqyp12jevQhj&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.hiphopventuresllc.com/nthe/?sXUXkXC=51bJujFLc20tCGhu7cUDilKkV4KkFhJHHXn1Y5i26+oUR3M5D54rlSoo8Sdfyw6fYNd6zl42&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.overseaexpert.com/nthe/?sXUXkXC=adxOK3g9xsmhNSl6zOCArJK3IjARKLYzTcZUoFouid4O6Rc3eBhLcBKKwAzfnZ9D6vACWWi7&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.omelhorcurso-online.com/nthe/?sXUXkXC=+G+47tg96cSZsPTY4vQ6+M2bANvEiiHc3iFTamgPVtuV9OX9HGHgOIGgcb7RmpWuhV230ped&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.groundedheavens.com/nthe/?sXUXkXC=jMh6XVcpP4sc/0PftgVatAqq1KiqQ/Stgmq51Wal6sqYysHl9H3jG9aEYQHs+6lqbRvbBIdu&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dindigulvysya.com/nthe/?sXUXkXC=+/hswLtkVvxszb1LNJLvqPb4ftc8Z6fRWBGZvwAoEVOzYphMk7n88H70z+5DzUEh7x+oQhg1&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.authorjameswshepherdonline.com/nthe/?sXUXkXC=enVshZ5pBP6SFOr7VKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKpqOeleCJ7dZ6IlpMeU4S&C8bDp=9rCl-NqhJxSHIVX
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.youcanaskmeto.review/nthe/?sXUXkXC=ctP9xmzI7lxydl9Y/YLT6bX/j9MPsOdNwwipT7HjIg8o+wS2Lz1BcfNN8PnCTvuZYgy3g6FL&C8bDp=9rCl-NqhJxSHIVX

Performs some HTTP requests (8 events)

request	GET http://www.yourdoor.pro/nthe/?sXUXkXC=Dq5BsXUmPYRXCS8xthBTWjkRhfDO71d0Wvsss7JChqmMe/U7sfw/yBC80fv6eqyp12jevQhj&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.hiphopventuresllc.com/nthe/?sXUXkXC=51bJujFLc20tCGhu7cUDilKkV4KkFhJHHXn1Y5i26+oUR3M5D54rlSoo8Sdfyw6fYNd6zl42&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.overseaexpert.com/nthe/?sXUXkXC=adxOK3g9xsmhNSl6zOCArJK3IjARKLYzTcZUoFouid4O6Rc3eBhLcBKKwAzfnZ9D6vACWWi7&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.omelhorcurso-online.com/nthe/?sXUXkXC=+G+47tg96cSZsPTY4vQ6+M2bANvEiiHc3iFTamgPVtuV9OX9HGHgOIGgcb7RmpWuhV230ped&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.groundedheavens.com/nthe/?sXUXkXC=jMh6XVcpP4sc/0PftgVatAqq1KiqQ/Stgmq51Wal6sqYysHl9H3jG9aEYQHs+6lqbRvbBIdu&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.dindigulvysya.com/nthe/?sXUXkXC=+/hswLtkVvxszb1LNJLvqPb4ftc8Z6fRWBGZvwAoEVOzYphMk7n88H70z+5DzUEh7x+oQhg1&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.authorjameswshepherdonline.com/nthe/?sXUXkXC=enVshZ5pBP6SFOr7VKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKpqOeleCJ7dZ6IlpMeU4S&C8bDp=9rCl-NqhJxSHIVX
request	GET http://www.youcanaskmeto.review/nthe/?sXUXkXC=ctP9xmzI7lxydl9Y/YLT6bX/j9MPsOdNwwipT7HjIg8o+wS2Lz1BcfNN8PnCTvuZYgy3g6FL&C8bDp=9rCl-NqhJxSHIVX

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6edb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ba1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 2440 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007a800', u'virtual_address': u'0x00002000', u'entropy': 7.471071181902417, u'name': u'.text', u'virtual_size': u'0x0007a6a0'}

entropy

7.4710711819

description

A section with a high entropy has been found

entropy

0.99593495935

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 22, 2021, 10:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 2440 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000320	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 2728445 seconds, actually delayed analysis time by 2728445 seconds

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL1 Uà p0Ð@@.textàop ` base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000320	1	1	0
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2440 process_handle: 0x00000320	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL1 Uà p0Ð@@.textàop ` base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000320	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 called NtSetContextThread to modify thread in remote process 2440
NtSetContextThread Sept. 22, 2021, 10:05 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000031c process_identifier: 2440	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1280 resumed a thread in remote process 2440
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2440	1	0	0

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1280	1	0
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 1280	1	0
CreateProcessInternalW Sept. 22, 2021, 10:05 p.m.	thread_identifier: 1988 thread_handle: 0x0000031c process_identifier: 2440 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000320	1	1
NtGetContextThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x0000031c	1	0
NtAllocateVirtualMemory Sept. 22, 2021, 10:05 p.m.	process_identifier: 2440 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000320	1	0
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL1 Uà p0Ð@@.textàop ` base_address: 0x00400000 process_identifier: 2440 process_handle: 0x00000320	1	1
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: base_address: 0x00401000 process_identifier: 2440 process_handle: 0x00000320	1	1
WriteProcessMemory Sept. 22, 2021, 10:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2440 process_handle: 0x00000320	1	1
NtSetContextThread Sept. 22, 2021, 10:05 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000031c process_identifier: 2440	1	0
NtResumeThread Sept. 22, 2021, 10:05 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2440	1	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.MSIL.Noon.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37582058
FireEye	Generic.mg.d362ffc6b594c617
ALYac	Trojan.GenericKD.37582058
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 005824e81 )
K7AntiVirus	Trojan ( 005824e81 )
Arcabit	Trojan.Generic.D23D74EA
Cyren	W32/MSIL_Kryptik.FNH.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ACTS
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Pwsx-9893004-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.37582058
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37582058
Sophos	Mal/Generic-R + Troj/MSIL-RRB
DrWeb	BackDoor.SpyBotNET.25
McAfee-GW-Edition	RDN/Generic PWS.y
Emsisoft	Trojan.Crypt (A)
Ikarus	Trojan.MSIL.Inject
Jiangmin	TrojanSpy.MSIL.btmv
Webroot	W32.Trojan.Msil.Agensla
Avira	TR/Kryptik.ypevl
Microsoft	Trojan:MSIL/AgentTesla.R!MTB
GData	Trojan.GenericKD.37582058
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.PWSX-gen.C4632385
McAfee	RDN/Generic PWS.y
MAX	malware (ai score=84)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack.ADC
TrendMicro-HouseCall	TROJ_GEN.R002H0CIG21
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.ZXG!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All